Privacy Act amended to increase penalties up to $50 Million

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on 28 November 2022 and now awaits Royal Assent. The Bill passed with virtually no amendment.

Main objectives of the Bill

As discussed in our previous article, the main objectives of the Bill are to increase maximum penalties that can be applied under the Privacy Act 1988 (Cth) (Privacy Act) for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:

  • $50 million;
  • three (3) times the value of any benefit obtained through the misuse of information; or
  • 30% of a company’s adjusted turnover in the relevant period.

The Bill now also:

  • provides the Australian Information Commissioner with greater powers to resolve privacy breaches;
  • strengthens the Notifiable Data Breaches Scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in each breach to assess the risk of harm to individuals;
  • equips the Australian Information Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers; and
  • amends the Privacy Act’s extraterritorial provisions, so that “even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia”.

Concerns with the new section 13G penalties

While most participating stakeholders approved of the Bill, several shortcomings were highlighted. The new penalty framework, in particular the concept of a “benefit” derived from a data breach, was questioned. The Law Council and the Business Council of Australia expressed concern about the difficulty of quantifying an exact “benefit” obtained from a privacy breach. The Attorney-General’s Department (AGD) responded that there was no intention to suggest that a ‘benefit’ arises in every data breach; where no benefit is evident, the first limb of the test, the $50 million maximum, applies instead. Another concern raised was that the maximum penalties were too high, for the following reasons:

  • they would apply in multiple data breach contexts; and
  • they would be applied to small business and even charitable organisations in certain instances.

In response, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, acknowledged that the penalties would apply as stated above; however, she indicated that civil penalty proceedings would not always be the enforcement option relied upon by the Office of the Australian Information Commissioner (OAIC).

OAIC’s response

The OAIC has welcomed the Bill, with Angelene Falk stating:

“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation.”

What does this mean for Australian businesses?

The Privacy Act applies to businesses with an annual turnover of more than $3 million, and to certain smaller businesses regardless of turnover (for example, private sector health service providers and businesses that trade in personal information). If your business is governed by the Act, it should take reasonable steps to ensure it complies with the Australian Privacy Principles (APPs). This can include:

  • ensuring adequate security measures are in place to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by APP 11;
  • developing and implementing a data breach response plan, in line with the Notifiable Data Breaches scheme, so that breaches can be detected, contained, assessed and, where required, notified to the OAIC and affected individuals; and
  • preparing, adopting and publishing a Privacy Policy that complies with Australian privacy law.

Takeaways

It has been said that the Australian government intends the Bill to be the first stepping stone into the “great pool” of privacy legislation reform. The timing of the increased penalties, coinciding with the recent large-scale data breaches of Optus and Medibank, does not appear to be coincidental. Whether a larger penalty regime will stimulate investment in more robust IT systems is difficult to anticipate.

Links and further references

Related articles

New privacy bill to be put before commonwealth parliament

7-Eleven customer survey: do privacy policy terms equal consent?

OAIC Notifiable Data Breaches report – July 2020

Uber breaches Australian privacy laws

Legislation

Privacy Act 1988 (Cth)

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

Further information on the changes to the Privacy Act

If you are a business and need advice on compliance with privacy laws, contact us for a confidential and obligation-free discussion:

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013 (Preferred)
Mobile: 0419 726 535
e: mburrows@dundaslawyers.com.au


Disclaimer

This article contains general commentary only.   You should not rely on the commentary as legal advice.   Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
